PyPI · Flask · CVE-2023-30861
**Name of the Vulnerable Software and Affected Versions**
Flask versions prior to 2.3.2
Flask versions prior to 2.2.5
**Description**
A response containing data intended for one client may be cached by a proxy and subsequently sent to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all the following conditions being met:
1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
2. The application sets `session.permanent = True`.
3. The application does not access or modify the session at any point during a request.
4. `SESSION_REFRESH_EACH_REQUEST` is enabled (the default).
5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.
This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified.
**Recommendations**
To resolve the issue for versions prior to 2.3.2, update to version 2.3.2 or later.
To resolve the issue for versions prior to 2.2.5, update to version 2.2.5 or later.
As a temporary workaround, consider setting a `Cache-Control` header to indicate that a page is private or should not be cached.
Restrict access to the caching proxy to minimize the risk of exploitation.
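One way to apply the `Cache-Control` workaround until the upgrade is deployed, as an added example that is not Flask's own code: a WSGI middleware that spots responses setting the session cookie without `Vary: Cookie` or a private/no-store `Cache-Control`, and adds the missing headers. The names `SessionCacheGuard`, `is_cache_exposed`, `harden` and `header_values` are hypothetical, the sample headers are constructed, and the cookie name assumes Flask's default `session`.

```python
# Added example, not Flask's code. Names here are hypothetical.
SESSION_COOKIE = "session"  # assumption: Flask's default session cookie name

def header_values(headers, name):
    """Comma-separated values of one header, case-insensitive, lowercased."""
    return [part.strip().lower()
            for key, value in headers if key.lower() == name
            for part in value.split(",") if part.strip()]

def is_cache_exposed(headers):
    """True if the response sets the session cookie with nothing telling a
    shared cache to keep it private or to key the entry on the Cookie header."""
    sets_session = any(
        key.lower() == "set-cookie"
        and value.split("=", 1)[0].strip() == SESSION_COOKIE
        for key, value in headers)
    if not sets_session:
        return False
    directives = {d.split("=", 1)[0] for d in header_values(headers, "cache-control")}
    if directives & {"private", "no-store"}:
        return False
    vary = header_values(headers, "vary")
    return "cookie" not in vary and "*" not in vary

def harden(headers):
    """Add Vary: Cookie, plus Cache-Control: private when the app set none."""
    if not is_cache_exposed(headers):
        return list(headers)
    fixed = list(headers) + [("Vary", "Cookie")]
    if not header_values(fixed, "cache-control"):
        fixed.append(("Cache-Control", "private"))
    return fixed

class SessionCacheGuard:
    """WSGI middleware. With Flask: app.wsgi_app = SessionCacheGuard(app.wsgi_app)"""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def guarded(status, headers, exc_info=None):
            return start_response(status, harden(headers), exc_info)
        return self.app(environ, guarded)

# Constructed sample: a refresh-only response as described in the advisory.
REFRESHED = [("Content-Type", "text/html"),
             ("Set-Cookie", "session=constructed.value; "
                            "Expires=Thu, 01 Jan 2099 00:00:00 GMT; HttpOnly; Path=/")]

if __name__ == "__main__":
    print(is_cache_exposed(REFRESHED), harden(REFRESHED)[-2:])
```

`is_cache_exposed` can also be run over captured response headers to find routes that currently emit the risky combination.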